
[linux-security] local root exploit in Linux kernel



Topic
=====
Local root exploit in Linux kernel.

Problem Description
===================
1) A race condition in the 64-bit file offset handling code of the kernel can
lead to a local root exploit. The file offset pointer (f_pos) is updated while
reading, writing, and seeking through a file so that it always points to the
current position in that file. The Linux kernel offers both a 32-bit and a
64-bit API for it. Unfortunately the value conversion between these two APIs,
as well as the access to the f_pos pointer itself, is defective. These bugs
can be abused (mostly through entries in /proc) by a local attacker to read
uninitialized kernel memory, which may contain sensitive information (the
root password and the like) (CAN-2004-0415).

2) Several USB drivers leak security-sensitive information to userspace
(CAN-2004-0685).

3) A vulnerability in the Linux kernel may allow local users to modify the
group ID of files, such as NFS exported files, in kernel 2.4 (CAN-2004-0497).
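The following is an added illustration of the bug class behind item 1, not
code from the kernel or from this advisory: a read handler that sign-checks
the 64-bit position but then narrows it to a 32-bit int (the 32-bit API) and
does its bounds arithmetic on the narrowed value, next to a hardened version
that validates the full 64-bit value before narrowing. The buffer size, the
struct, the function names and the sample positions are constructed for the
example; the narrowing behaviour assumed (0xFFFFF000 wrapping to -4096) is
that of gcc on x86.

```c
/* Constructed example: 64-bit -> 32-bit file offset narrowing. Not kernel
 * source; all names here are hypothetical. Compile: cc -std=c99 -Wall fpos.c */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef int64_t loff_t_demo;   /* stands in for the kernel's 64-bit loff_t */

#define BUF_LEN 4096           /* size of a simulated /proc text buffer */

/* What a read request would do: where the copy starts (relative to the
 * buffer start) and how many bytes it would copy. Nothing is copied here;
 * the plan is returned so the caller can inspect it. */
struct copy_plan {
    bool ok;
    long start;      /* negative means "before the buffer" */
    size_t len;
};

/* Flawed pattern: the sign check is done on the 64-bit value, but the
 * arithmetic is done on the int the 32-bit API hands around. pos =
 * 0xFFFFF000 is positive as loff_t yet becomes -4096 as int (gcc/x86), so
 * "bytes left" overshoots and the copy would start before the buffer:
 * a kernel memory disclosure. */
struct copy_plan flawed_read(loff_t_demo pos, size_t count)
{
    struct copy_plan p = { false, 0, 0 };
    if (pos < 0)                         /* check on the 64-bit value ...  */
        return p;
    int off = (int)pos;                  /* ... arithmetic on the narrowed one */
    if (off >= BUF_LEN)
        return p;
    size_t left = (size_t)(BUF_LEN - off);   /* 8192 when off == -4096 */
    p.ok = true;
    p.start = off;
    p.len = count < left ? count : left;
    return p;
}

/* Hardened pattern: reject any 64-bit position outside the buffer first,
 * and narrow only after the value is known to fit. */
struct copy_plan hardened_read(loff_t_demo pos, size_t count)
{
    struct copy_plan p = { false, 0, 0 };
    if (pos < 0 || pos >= BUF_LEN)       /* full-width range check */
        return p;
    size_t off = (size_t)pos;            /* now in [0, BUF_LEN) */
    size_t left = BUF_LEN - off;
    p.ok = true;
    p.start = (long)off;
    p.len = count < left ? count : left;
    return p;
}

int main(void)
{
    /* 4294963200: positive as a 64-bit offset, -4096 once narrowed to int */
    loff_t_demo bad = (loff_t_demo)0xFFFFF000;
    struct copy_plan f = flawed_read(bad, 8192);
    struct copy_plan h = hardened_read(bad, 8192);
    printf("flawed:   ok=%d start=%ld len=%zu\n", f.ok, f.start, f.len);
    printf("hardened: ok=%d start=%ld len=%zu\n", h.ok, h.start, h.len);
    return 0;
}
```

The flawed handler reports a copy of 8192 bytes starting 4096 bytes before
the buffer, while the hardened one refuses the request outright; an in-range
position such as 100 is handled identically by both.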

Affected Systems
================
Linux kernel versions 2.4.x with x < 27 and 2.6.y with y < 8.

Solution
========
Upgrade to kernel version 2.4.27 or 2.6.8.1, or to a patched kernel for your
distribution. Installing a kernel package does not replace the running kernel:
reboot into the new kernel afterwards and confirm with uname -r that the
updated version is the one actually running.

SuSE-8.0
--------
rpm -ivh k_<type>-2.4.18-310.i386.rpm
where <type> is one of deflt, psmp, smp, or i386.

rpm -Fvh kernel-source-2.4.18.SuSE-310.i386.rpm

SuSE-8.1
--------
rpm -ivh k_<type>-2.4.21-238.i586.rpm
where <type> is one of deflt, psmp, smp, or athlon.

rpm -Fvh kernel-source-2.4.21-238.i586.rpm

SuSE-8.2
--------
rpm -ivh k_<type>-2.4.20-118.i586.rpm
where <type> is one of deflt, psmp, smp, or athlon.

rpm -Fvh kernel-source-2.4.20.SuSE-118.i586.rpm

SuSE-9.0
--------
rpm -ivh k_<type>-2.4.21-238.i586.rpm
where <type> is one of deflt, smp, smp4G, um, or athlon.

rpm -Fvh kernel-source-2.4.21-238.i586.rpm

SuSE-9.1
--------
rpm -ivh kernel-<type>-2.6.5-7.104.i586.rpm
where <type> is one of default, smp, or bigsmp.

rpm -Fvh kernel-source-2.6.5-7.104.i586.rpm

SFU-1.0 (RedHat 7.3)
--------------------
[packages available from ftp://ftp.sfu.ca/pub/linux/1.0/RPMS/]

rpm -ivh kernel<type>-2.4.20-34.7.<arch>.rpm
where <type> is either empty or one of -smp or -bigmem, and <arch> is
one of i386, i586, i686, or athlon.

rpm -Fvh kernel-source-2.4.20-34.7.i386.rpm kernel-doc-2.4.20-34.7.i386.rpm

Mandrake 9.1
------------
rpm -ivh kernel<type>-2.4.21.0.32mdk-1-1mdk.i586.rpm
where <type> is either empty or one of -smp, -secure, or -enterprise.

rpm -Fvh kernel-source-2.4.21-0.32mdk.i586.rpm

Mandrake 9.2
------------
rpm -ivh kernel<type>-2.4.22.36mdk-1-1mdk.i586.rpm
where <type> is either empty or one of -smp, -secure, -enterprise,
-i686-up-4GB, or -p3-smp-64GB.

rpm -Fvh kernel-source-2.4.22-36mdk.i586.rpm

Mandrake 10.0
-------------
rpm -ivh kernel<type>-2.4.25.7mdk-1-1mdk.i586.rpm
or
rpm -ivh kernel<type>-2.6.3.15mdk-1-1mdk.i586.rpm
where <type> is either empty or one of -smp, -secure, -enterprise,
-i686-up-4GB or -p3-smp-64GB.

rpm -Fvh kernel-source-2.4.25-7mdk.i586.rpm
or
rpm -Fvh kernel-source-2.6.3-15mdk.i586.rpm \
         kernel-source-stripped-2.6.3-15mdk.i586.rpm

Fedora 1
--------
rpm -ivh kernel<type>-2.4.22-1.2199.nptl.<arch>.rpm
where <type> is either empty or -smp and <arch> is one of i386, i586,
i686, or athlon.

rpm -Fvh kernel-source-2.4.22-1.2199.nptl.i386.rpm \
         kernel-doc-2.4.22-1.2199.nptl.i386.rpm

Fedora 2
--------
rpm -ivh kernel<type>-2.6.7-1.494.2.2.nptl.<arch>.rpm
where <type> is either empty or -smp and <arch> is one of i586 or i686.

rpm -Fvh kernel-sourcecode-2.6.7-1.494.2.2.noarch.rpm \
         kernel-doc-2.6.7-1.494.2.2.noarch.rpm